February 4, 2013

Cyber Fail
The Obama administration's lousy record on cyber security

Barack Obama is probably America’s most web-savvy president ever. But when it comes to actually crafting policy for the nation's cyber security, his administration has been consistent in only one aspect: bluster. Obama's major legacy on cyber security, it increasingly seems, will be an infrastructure for waging a non-existent “cyber war” that's incapable of defending the country from the types of cyber attacks that are actually coming.

The Obama administration wants the public to believe it is taking cyber security seriously. In October last year Defense Secretary Leon Panetta darkly warned, yet again, of a “Cyber Pearl Harbor,” an attack that could cause “physical destruction and loss of life, paralyze and shock the nation, and create a profound new sense of vulnerability.” In November, President Obama signed a directive that, for the first time, “established principles and processes for the use of cyber operations,” including the offensive use of computer attack. The Pentagon, meanwhile, has reportedly been at work on the rules of engagement for battle in cyberspace.

The administration's latest initiative came last week, when the Pentagon leaked its plans to massively boost its Cyber Command. What had been a 900-person nascent military outfit housed at Fort Meade in Maryland will be expanded to a team of 4,900. The move, the Washington Post reported with excitement, was designed to turn a largely defensive organization into a more offensively-minded “Internet-era fighting force.”

But neither the Obama administration's actions, nor its rhetoric are backed up by the facts. 2012 was by all accounts a busy year for cyber security; indeed, it was the busiest on record. There were the multiple instances of creatively-named malware incidents—Flame and Gauss, Shamoon, Red October, and Mahdi. (The latter was a major sabotage attack against the oil company Saudi Aramco that deleted the hard drives of as many as 30,000 of the company’s workstations, although it didn’t succeed in interrupting the oil production.) There were major denial-of-service attacks against the websites of leading US retail banks. And most recently The New York Times and other news organizations revealed that Chinese hackers rummaged around in their networks for several months.

But the rhetoric of war doesn't accurately describe much of what happened. There was no attack that damaged anything beyond data, and even that was the exception; the Obama administration's rhetoric notwithstanding, there was nothing that bore any resemblance to World War II in the Pacific. Indeed, the Obama administration has been so intent on responding to the cyber threat with martial aggression that it hasn't paused to consider the true nature of the threat. And that has lead to two crucial mistakes: first, failing to realize (or choosing to ignore) that offensive capabilities in cyber security don’t translate easily into defensive capabilities. And second, failing to realize (or choosing to ignore) that it is far more urgent for the United States to concentrate on developing the latter, rather than the former.

At present, the United States government is one of the most aggressive actors when it comes to offensive cyber operations, excluding commercial espionage. The administration has anonymously admitted that it designed Stuxnet (codenamed Olympic Games) a large-scale and protracted sabotage campaign against Iran’s nuclear enrichment facility in Natanz that was unprecedented in scale and sophistication. Close expert observers assume that America also designed Flame, a major and mysterious espionage operation against several Middle Eastern targets mostly in the energy sector. The same goes for Gauss, a targeted and sophisticated spying operation designed to steal information from Lebanese financial institutions.

Developing sophisticated, code-borne sabotage tools requires skills and expertise; they also require detailed intelligence about the input and output parameters of the targeted control system. The Obama administration seems to have decided to prioritize such high-end offensive operations. Indeed, the Pentagon's bolstered Cyber Command seems designed primarily for such purposes. But these kinds of narrowly-targeted offensive investments have no defensive value.

So amid all the activity, little has been done to address the country's major vulnerabilities. The software that controls America's most critical infrastructure—from pipeline valves to elevators to sluices, trains, and the electricity grid—is often highly insecure by design, as the work of groups like Digital Bond illustrates. Worse, these systems are often connected to the internet for maintenance reasons, which means they are always vulnerable to attack. Shodan, a search engine dubbed the Google for hackers, has already made these networked devices searchable. Recently a group of computer scientists at the Freie Universität in Berlin began to develop their own crawlers to geo-locate these vulnerable devices and display them on a map. Although the data are still incomplete and anonymized, parts of America's most vulnerable infrastructure are now visible for anyone to see.

Defending these areas ought to be the government's top priority, not the creation of a larger Cyber Command capable of going on the offense. Yet the White House has hardly complained that the piece of legislation that would have made some progress towards that goal, the Cybersecurity Act of 2012, has stalled indefinitely in the Senate.

Yes, the administration is currently preparing an executive order to circumvent Congress. But a leaked draft of the document shows that private sector lobbying has successfully managed to soften it dramatically. The White House’s rather humble goal now seems to be the creation of a yet to-be-defined “framework,” one that would create voluntary incentives for companies to abide by new security standards only a full year after publication. Worse: the Department of Homeland Security, the document says, “shall not identify any commercial information technology product.” But the very battlefield for cyber attacks is almost exclusively in the hands of private companies. How can their vulnerabilities be corrected if they can't even be identified? It calls into question whether Obama is really serious about defending the nation against cyber attack.

The presidential directive also seems to be contradicted by the recent announcement about the Pentagon's Cyber Command. The Pentagon's cyber-operations annex will also be tasked with securing national infrastructure. It's not yet clear how that authority will align with the Department of Homeland Security's responsibility to enforce Obama's executive order; nor is it clear what kind of legal authority the Pentagon would have in investigating the security arrangements of private companies deemed critical to national infrastructure. “There’s no intent to have the military crawl inside industry or private networks and provide that type of security,” one official hastened to tell the Washington Post.

But it is telling that an administration that vowed to be unprecedentedly open and transparent with the public, while being tough on national security leaks, has chosen to ignore these principles in its approach to cyber security. The Obama White House treats cyber security as a mission that the public can be informed about through furtive leaks and unidentified officials, cloak-and-dagger style.

An impressive contrast is not far out of view: The New York Times handled its recent attack with graceful transparency. Such transparency engenders accountability and trust—resources crucial to a massive undertaking like the protection of the entire country's digital infrastructure. The Obama administration would be wise to crib from the Times' model. Unless its goal isn't cyber defense, but cyber offense—a statement of priorities that it would also be the public's right to know.

Thomas Rid is a reader at the Department of War Studies, King's College London and author of Cyber War Will Not Take Place.